When More Than 80% of Breaches Start With an Exposed Human

For two decades, most security budgets flowed toward technical controls: firewalls, endpoint agents, segmentation, patching. Those controls still matter. But the dominant way into a modern organization is no longer an unpatched server — it is a person. When an employee clicks a crafted link, approves a fraudulent invoice, or reuses a password, the most expensive perimeter in the world is bypassed in seconds.

For a CISO or IT manager operating under NIS 2, this shifts where attention — and evidence — has to go.

The numbers are hard to ignore

Industry data has been pointing the same direction for years. Roughly 82% of breaches involve a human element — a click, a misdelivery, a stolen credential, or a social-engineering manipulation. At the same time, around 70% of working adults admit to knowingly taking risky actions that bypass security policy, usually to get their job done faster.

The conclusion is uncomfortable but clear. As Gartner has summarized it:

"Awareness is not the issue, human behavior is."

People generally know they should not click the link or skip the policy. They do it anyway, under pressure, in context, against attackers who now use generative AI to produce flawless, localized lures at scale.

Why traditional awareness training falls short

Most organizations already "do" awareness training. So why does the human entry point stay open? Because the common model is built to satisfy an audit, not to change behavior:

  • Generic, annual modules that every employee clicks through once and forgets.
  • One-size-fits-all content that ignores role, department, and individual risk.
  • Phishing tests that are run occasionally and rarely feed back into targeted coaching.
  • Reporting designed to prove a course was completed, not that risk went down.

Knowledge without reinforcement decays. A finance clerk handling supplier payments faces a different threat than a developer with production access, yet both usually receive the same slide deck.

What NIS 2 actually expects

NIS 2 raises the bar in two ways that matter here. First, Article 21 lists basic cyber hygiene practices and security awareness training as explicit risk-management measures — not optional extras. Second, it makes management bodies accountable for approving and overseeing those measures, with real consequences for failure.

In practice, that means a NIS 2 program needs more than a certificate of completion. It needs demonstrable, ongoing evidence that the human factor is being measured, that high-risk groups are identified, and that exposure is trending down over time.

From awareness to measurable behavior change

The shift is from "did people attend training" to "is risky behavior actually decreasing." A modern approach rests on a few principles:

  • Risk scoring. Quantify human risk per user, team, and department so you can target effort where exposure is highest, rather than treating everyone the same.
  • Adaptive, realistic simulation. Run phishing and social-engineering exercises that reflect current attacker techniques — including QR-code phishing, attachments, and localized lures — and adjust difficulty to the individual.
  • Microlearning in the moment. When someone fails a simulation, deliver short, relevant coaching immediately, while the lesson is concrete.
  • Personalization with data. Use behavioral data to tailor content to role and risk level, and to track whether resilience genuinely improves.

This turns the human layer into something a CISO can manage like any other control: with a baseline, a target, and a trend line.
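To make the "baseline, target, trend line" idea concrete, here is a small added example (not code from ClickSecure.AI or Awakeness.ai) that scores human risk from simulated-phishing outcomes, aggregates it per department, builds the coaching queue, and reports the period-over-period trend. The outcome labels, the weights, the privileged-role multiplier and the sample records are all constructed assumptions for illustration.

```python
"""Toy human-risk scoring over phishing-simulation outcomes (added example, not the vendor's code)."""
from collections import defaultdict

# Constructed sample data: one record per simulated exercise delivered to one user.
# Outcome labels are hypothetical for this example.
SIMULATION_RESULTS = [
    # (period, user, department, privileged, outcome)
    ("2024Q1", "alice", "finance", False, "clicked"),
    ("2024Q1", "alice", "finance", False, "credentials"),
    ("2024Q1", "bob", "finance", False, "ignored"),
    ("2024Q1", "bob", "finance", False, "clicked"),
    ("2024Q1", "carol", "engineering", True, "reported"),
    ("2024Q1", "carol", "engineering", True, "clicked"),
    ("2024Q2", "alice", "finance", False, "reported"),
    ("2024Q2", "alice", "finance", False, "ignored"),
    ("2024Q2", "bob", "finance", False, "reported"),
    ("2024Q2", "bob", "finance", False, "reported"),
    ("2024Q2", "carol", "engineering", True, "ignored"),
    ("2024Q2", "carol", "engineering", True, "ignored"),
]

# Assumed weights: how much risk each outcome signals (0 = best, 100 = worst).
OUTCOME_WEIGHT = {"reported": 0, "ignored": 25, "clicked": 60, "credentials": 100}
# Assumed multiplier for users with privileged access (production systems, supplier payments).
PRIVILEGED_MULTIPLIER = 1.5


def user_scores(results, period):
    """Per-user risk score (0-100) for one period: mean outcome weight, boosted for privileged roles."""
    weights = defaultdict(list)
    meta = {}
    for p, user, dept, privileged, outcome in results:
        if p != period:
            continue
        weights[user].append(OUTCOME_WEIGHT[outcome])
        meta[user] = (dept, privileged)
    scores = {}
    for user, ws in weights.items():
        dept, privileged = meta[user]
        score = sum(ws) / len(ws)
        if privileged:
            score = min(100.0, score * PRIVILEGED_MULTIPLIER)
        scores[user] = (dept, score)
    return scores


def department_scores(results, period):
    """Mean user score per department, so effort can be targeted where exposure is highest."""
    by_dept = defaultdict(list)
    for dept, score in user_scores(results, period).values():
        by_dept[dept].append(score)
    return {d: sum(s) / len(s) for d, s in by_dept.items()}


def high_risk_users(results, period, threshold):
    """Users whose score meets the threshold, highest first: the targeted-coaching queue."""
    ranked = sorted(user_scores(results, period).items(), key=lambda kv: kv[1][1], reverse=True)
    return [user for user, (_, score) in ranked if score >= threshold]


def trend(results, baseline_period, current_period):
    """Change in department score from baseline to current (negative means risk went down)."""
    base = department_scores(results, baseline_period)
    cur = department_scores(results, current_period)
    return {d: cur[d] - base[d] for d in base if d in cur}


def on_target(results, period, target):
    """True for departments whose score for the period is at or below the agreed target."""
    return {d: s <= target for d, s in department_scores(results, period).items()}


if __name__ == "__main__":
    for period in ("2024Q1", "2024Q2"):
        print(period, department_scores(SIMULATION_RESULTS, period),
              "coach:", high_risk_users(SIMULATION_RESULTS, period, 40))
    print("trend Q1->Q2:", trend(SIMULATION_RESULTS, "2024Q1", "2024Q2"))
    print("on target (<= 20):", on_target(SIMULATION_RESULTS, "2024Q2", 20))
```

Run as-is and the output shows the finance department starting as the highest-exposure group, the coaching queue emptying in the second period, and a negative trend for both departments. In a real deployment the weights would be calibrated against observed incident data and the department rollup is what ends up in the NIS 2 evidence pack; the point of the structure is that the human layer gets the same three numbers as any other control.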

The business case

Treating human risk seriously is not only a compliance exercise; the economics support it. Security awareness training has been associated with roughly a 70% reduction in security-related risks, and effective programs are linked to average savings in the order of $177,708 per organization by reducing the breaches that start with human error. Set against the cost of a single avoided incident, the return is straightforward.

How we approach it

At ClickSecure.AI we treat the human layer as a first-class control. Through our partnership with Awakeness.ai — a SaaS platform for awareness training and simulation, augmented by AI and data science — we combine human risk scoring, adaptive phishing simulation, and microlearning so that exposure is continuously measured and reduced, with audit-ready reporting for NIS 2, DORA, GDPR, ISO 27001 and similar frameworks.

The goal is not another annual course. It is a measurable, defensible reduction in the single largest source of breaches: people under pressure.

If the human factor is your largest unmanaged risk, it deserves the same rigor as the rest of your security program. Learn more about our Human Risk, Awareness & Phishing Simulation approach.

Sources: Gartner — employee behaviors research; Aruba (HPE) Digital Workplace Report; Keepnet Labs — 2024 security awareness training statistics.